Restricted Scope of ISO 13485 Certification

[KatieQA]

Hey all - long-time lurker, first-time poster. I'm in the process of getting my IVD company ISO 13485 certified under MDSAP. We passed our Stage 1 with flying colors. Now it's crunch time for our Stage 2. We are considering restricting our scope to drop production for the time being. Here's the question I'm trying to answer:

When does a company *really* need their production certified? Is it:
-Prior to producing clinical study devices? (Or are those part of Design and Development?)
-Prior to first 510k and concurrent FDA registration (or is a Design and Development scoped cert sufficient for this)
-Prior to producing the first medical devices that will be sold?

Thanks in advance!

 

[yodon]

First off, separate FDA, IVDR, MDSAP, and 13485. While there's overlap, there are distinct differences.

FDA doesn't require 13485 certification. To enable distribution in the US, you only require clearance through the 510(k). They *may* accept the MDSAP audit results in lieu of doing an inspection (it's by no means a guarantee). FDA also requires that you register as a device manufacturer.

IVDR doesn't exactly require the company's QMS to be certified to 13485 - but it's the easiest route. To enable distribution in the EU, your product needs to be CE marked. That's a process of demonstrating compliance to the IVDR (and in which one element is that your quality system meets requirements - which is generally demonstrated by certification).

Premarket clinical studies are kind of odd ducks. I believe it's typical for those to be governed by an external body (e.g., IRB) and they may require specific safety or performance requirements be demonstrated prior to initiating the trial.

Circling back to your question: why would you want to exclude production "for the time being?" Expanding scope later just means additional audits.

 

[KatieQA]

Circling back to your question: why would you want to exclude production "for the time being?" Expanding scope later just means additional audits.

All very good points, and helpful. We are considering excluding it because we are concerned we won't have sufficient evidence to audit by our audit date. For example, we won't have process or software tool validations complete. Functionally, for our medical devices, we will be in a design and development state until about our first surveillance audit a year from now. At which time, we could expand scope concurrent to the surveillance audit. (Perhaps of note - we have non-medical devices in production now, and are in the process of implementing our newly developed ISO compliant SOPs onto those products, but the process is taking longer than anticipated)

So if I'm reading your reply correctly, there is no specific regulatory requirement for timing of ISO 13485 cert with full scope, but it is helpful (perhaps very helpful) to have in place prior to FDA registration and CE mark. And may also be helpful for premarket clinicals depending on IRB, protocol, etc. Is that a fair assessment?

 

[yodon]

FDA doesn't consider 13485 certification. Your 510(k) has to have data which demonstrates substantial equivalence to the predicate. You do have to have a Quality System but you have to address the FDA requirements (which should have been covered in the MDSAP audit), not 13485.

For CE marking, having 13485 certification is, indeed, the easiest path.

I would talk to your ISO registrar about scope and timing. If you have a plan for completing those activities, they *may* accept. It's typical that not everything is fully in place (e.g., postmarket surveillance - actually implementing it - you do need the procedures). If you're not planning on marketing in the EU for over a year, you may want to postpone the Stage II (although they may require that the stage I be re-done). Definitely worth a call.

 

[Sidney Vianna]

We are considering restricting our scope to drop production for the time being.

I think the question you should ask yourself is: What would an ISO 13485 certificate WITHOUT PRODUCTION offer you? How would that benefit you? The CB is expected to scrutinize the scope of certification very carefully, as required in the IAF MD9 Document where it reads:

"...The CAB shall precisely document the scope of certification. The CAB shall not exclude part of processes, products or services (unless allowed by regulatory authorities) from the scope of certification when those processes, products or services have an influence on the safety and quality of products ..."

 

[KatieQA]

I think the question you should ask yourself is: What would an ISO 13485 certificate WITHOUT PRODUCTION offer you? How would that benefit you?

Good question - our goals include demonstrating the ability to meet the requirements to various stakeholders, internal and external; performing design and development under the standard (which admittedly could be done without a cert, but the cert ensures it is truly compliant, with less risk of "rework" or "back-fill" work generating the DHF after the fact); and laying the groundwork for a quick turnaround on transfer to manufacturing / saleable product when the development work is complete.

Open to feedback on the strategy if you or anyone has any thoughts to share

 

[KatieQA]

Good question - our goals include demonstrating the ability to meet the requirements to various stakeholders, internal and external; performing design and development under the standard (which admittedly could be done without a cert, but the cert ensures it is truly compliant, with less risk of "rework" or "back-fill" work generating the DHF after the fact); and laying the groundwork for a quick turnaround on transfer to manufacturing / saleable product when the development work is complete.

Open to feedback on the strategy if you or anyone has any thoughts to share

I should also add - we have other processes in place with evidence - e.g., management reviews, internal auditing, purchasing with supplier controls, CAPA, non-conforming material handling, incoming inspections, training, etc.

 

[Sidney Vianna]

but the cert ensures it is truly compliant,

I don't agree with the premise here. If you are interested in degree of conformity of the existing processes against ISO 13485, I would go with an assessment route. An audit just like a "certification audit" without the pressure, limitations and constraints of a certification audit.

Certificates with serious scope limitations almost always sound as a marketing ploy. Companies issue press releases boasting about their certificates, but NEVER mention that the certificates have limitations.

Good luck.